-
Notifications
You must be signed in to change notification settings - Fork 9
AppArmor
pyllyukko edited this page Jul 30, 2024
·
8 revisions
- Documentation
- Keep an eye out for
info="profile transition not found". This happens when profiles have e.g. Px ("the new process should run under another profile that matches the name of the executable") and the profile they are referring to is not in use.
There's some issues with enforce mode:
Sep 10 22:24:34 debian8 dhclient: can't create /var/lib/NetworkManager/dhclient-8cba46aa-5e5c-43c6-8234-1936f411ed9a-eth0.lease: Permission denied
Sep 10 22:24:34 debian8 dhclient: execve (/usr/lib/NetworkManager/nm-dhcp-helper, ...): Permission denied
Sep 10 22:24:34 debian8 dhclient: Open a socket for LPF: Operation not permitted
Sep 10 22:24:34 debian8 dhclient:
Sep 10 22:24:34 debian8 dhclient: If you think you have received this message due to a bug rather
Sep 10 22:24:34 debian8 dhclient: than a configuration issue please read the section on submitting
Sep 10 22:24:34 debian8 dhclient: bugs on either our web page at www.isc.org or in the README file
Sep 10 22:24:34 debian8 dhclient: before submitting a bug. These pages explain the proper
Sep 10 22:24:34 debian8 dhclient: process and the information we find helpful for debugging..
Sep 10 22:24:34 debian8 dhclient:
Sep 10 22:24:34 debian8 dhclient: exiting.
Switch back to complain: aa-complain /etc/apparmor.d/sbin.dhclient
16.3.2020: Still applies with Debian 10.
Problems ahead:
Sep 10 22:27:43 debian8 sshd[2439]: Did not receive identification string from XXX.YYY.ZZ.X
Sep 10 22:27:43 debian8 sshd[2440]: PAM audit_log_acct_message() failed: Operation not permitted
Sep 10 22:27:43 debian8 sshd[2440]: fatal: Access denied for user XYZ by PAM account configuration [preauth]
AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=4970 comm="sshd" capability=21 capname="sys_admin"
Complain: aa-complain /etc/apparmor.d/usr.sbin.sshd
man: can't open the manpath configuration file /etc/manpath.config
Complain: aa-complain /etc/apparmor.d/usr.bin.man
16.3.2020: Still applies with Debian 10.
type=AVC msg=audit(1473578605.051:569): apparmor="DENIED" operation="file_lock" profile="/etc/cron.daily/logrotate" name="/etc/logrotate.conf" pid=1984 comm="logrotate" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1473578605.051:570): apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/etc/logrotate.d/" pid=1984 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[21572]: AVC apparmor="DENIED" operation="open" profile="netstat" name="/proc/21572/net/udplite6" pid=21572 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0